Understanding network traffic through Intraflow data
1 Understanding network traffic through Intraflow data David McGrew and Blake Anderson FloCon 2016
2 Exploring threat data features at scale pcap pcap2flow json Offline joy pcap2flow json Online exporter collector json
3 Flow Monitoring srcip, dstip, srcport, dstport, prot, starttime, stoptime, numbytes, numpackets Observation Export Collection Analysis Storage Observation Observation
4 I need to understand traffic even when it is encrypted. I need to understand all the traffic in my network, not just traffic that passes through a security appliance. Known threats and malware; Evasive applications and tunnels; TLS, SSH, and other encrypted traffic (on any port); Monitoring internal traffic; Forensics; Crypto usage audit
5 Flow Monitoring srcip, dstip, srcport, dstport, prot, starttime, stoptime, numbytes, numpackets Observation Export Collection Analysis Storage Observation Observation New Data Features
6 Intraflow data Information about events or data inside of flows that can be conveniently collected, stored, and analyzed within a flow monitoring framework
7 Intraflow data: Economical observation (Unidirectional; Minimal computation; Small snaplen); Application/protocol independence; Compactness (Observation; Transmission and storage); Composability
8 Architecture Flow Records Classifier
9 Training architecture Malware Detonation Malware Records Training Classifier Benign Records
10 New Telemetry Data Features Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10
11 Enhanced Telemetry Data Types: SPLT (Sequence of Packet Lengths and Arrival Times; diagram labels src, dst); Byte Distribution (relative frequency for each byte in a flow); Byte Entropy; Initial Data Packet
12 Sequence of Packet Lengths and Times Client packets src dst Server packets Time
13-17 Byte Distribution (built up over five slides): the payload bytes "H T T P / O K" (shown in hex as f 31 2e f 4b) are consumed one at a time and the counter for each byte value is incremented, so the histogram grows from 1, to 1 1, to 2 1, to 1 2 1
18 Byte Distribution for different encodings
19 JSON flow data Conventional flow data Intraflow data Extracted parameters Easy to use with data analytics and machine learning tools
20-21 Initial Data Packet: SYN, SYN ACK, ACK, then Data, Data, Data, Data; the first data-carrying packet after the handshake is the IDP (SYN, SYN ACK, IDP, ACK, Data, Data, Data, Data)
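The SPLT, Byte Distribution, Byte Entropy and Initial Data Packet features from the slides above, worked through on a constructed flow and emitted as a JSON flow record in the spirit of slide 19. This is an added example, not Joy or pcap2flow code; the packet-record layout (dicts with ts, dir, flags, payload), the sign-encoded direction and the JSON key names are assumptions.

```python
"""Intraflow feature extraction (SPLT, Byte Distribution, Byte Entropy, IDP)
from a list of packet records. Added illustration, not Joy/pcap2flow code;
the packet-record layout and the record key names are this example's own."""
import json
import math

SPLT_MAX_PKTS = 10          # slide 30 costs SPLT at 10 packets per flow
FLAG_SYN, FLAG_ACK = 0x02, 0x10


def splt(packets, max_pkts=SPLT_MAX_PKTS):
    """Sequence of Packet Lengths and Times.

    Only payload-bearing packets are recorded (handshake and bare ACKs are
    skipped, an assumption). Direction is folded into the sign of the length:
    client->server positive, server->client negative. The time element is the
    gap in milliseconds since the previous recorded packet (0 for the first).
    """
    seq, prev_ts = [], None
    for p in packets:
        if not p["payload"]:
            continue
        gap_ms = 0 if prev_ts is None else int(round((p["ts"] - prev_ts) * 1000))
        sign = 1 if p["dir"] == "c2s" else -1
        seq.append((sign * len(p["payload"]), gap_ms))
        prev_ts = p["ts"]
        if len(seq) == max_pkts:
            break
    return seq


def byte_distribution(packets):
    """256 counters: how often each byte value occurs in the flow's payload
    (slides 13-17 bump one counter per payload byte as it arrives)."""
    counts = [0] * 256
    for p in packets:
        for b in p["payload"]:
            counts[b] += 1
    return counts


def byte_entropy(counts):
    """Shannon entropy (bits per byte) of a byte distribution. Plaintext
    protocols sit well below 8; encrypted or compressed payloads approach 8."""
    total = sum(counts)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def initial_data_packet(packets):
    """First payload-bearing packet after SYN / SYN-ACK / ACK (slides 20-21);
    returns b'' when the flow never carried data."""
    for p in packets:
        if p["payload"]:
            return p["payload"]
    return b""


def flow_record(five_tuple, packets):
    """Conventional flow keys plus the intraflow features, JSON-serialisable."""
    sa, da, sp, dp, pr = five_tuple
    bd = byte_distribution(packets)
    return {
        "sa": sa, "da": da, "sp": sp, "dp": dp, "pr": pr,
        "num_pkts": len(packets),
        "num_bytes": sum(len(p["payload"]) for p in packets),
        "splt": splt(packets),
        "bd": bd,
        "be": round(byte_entropy(bd), 4),
        "idp": initial_data_packet(packets).hex(),
    }


# Constructed sample: TCP handshake followed by a short HTTP exchange.
SAMPLE_PACKETS = [
    {"ts": 0.000, "dir": "c2s", "flags": FLAG_SYN, "payload": b""},
    {"ts": 0.010, "dir": "s2c", "flags": FLAG_SYN | FLAG_ACK, "payload": b""},
    {"ts": 0.010, "dir": "c2s", "flags": FLAG_ACK, "payload": b""},
    {"ts": 0.012, "dir": "c2s", "flags": FLAG_ACK, "payload": b"GET / HTTP/1.1\r\n"},
    {"ts": 0.040, "dir": "s2c", "flags": FLAG_ACK, "payload": b"HTTP/1.1 200 OK"},
    {"ts": 0.041, "dir": "c2s", "flags": FLAG_ACK, "payload": b""},
]
SAMPLE_TUPLE = ("10.0.0.5", "192.0.2.10", 51234, 80, 6)  # constructed 5-tuple

if __name__ == "__main__":
    print(json.dumps(flow_record(SAMPLE_TUPLE, SAMPLE_PACKETS)))
```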
22 Experimental results
23 Performance. CPU: Intel 2.70GHz, 17% utilization at 1.0e7 bytes/sec, 1.2e4 packets/sec; approx. 870 Mbits/sec at full utilization. RAM: 8 Gbyte, 2.7% utilization (216 Mbyte). (Breakdown chart: Byte Distribution; Everything else; Flow lookup, alloc, init)
24 Detecting malware with SPLT and Byte Distribution
25 Analytics User Interface
26 Malware Classification
27-28 Classifying flows as malicious/benign. L1-logistic regression, SPLT + 5-tuple: 160 non-zero parameters; 0.01 FDR: 51.11%; Total Accuracy: 98.44%. L1-logistic regression, SPLT + 5-tuple + BD: 128 non-zero parameters; 0.01 FDR: 98.92%; Total Accuracy: 99.81%
29-30 Intraflow data: Economical observation (Unidirectional; Minimal computation; Small snaplen); Application/protocol independence; Compactness (Observation; Transmission and storage); Composability. SPLT: 10 packets, 10 bytes, 10 bytes. Byte Distribution: No, 256 bytes, 256 bytes, 16 bytes (the 16 bytes entry is added on slide 30)
31 Conclusions: Intraflow data is feasible to implement and enables useful inferences; SPLT is valuable and relatively cheap; Byte Distribution is valuable but more costly; Training classifiers is key; Data fusion
32 Thank You
33 Joy applications: pcap, pcap2flow, json (Server; Threat Intelligence); online, pcap2flow, json (Server; Endpoint); online, pcap2flow, json (Server; SPAN or TAP); online, pcap2flow, json (Raspberry Pi; Home)